US10348681B2ActiveUtilityA1

Centralized secure offload of security services for distributed security enforcement points

47
Assignee: GEARHART CURTIS MPriority: Jan 24, 2007Filed: Jan 24, 2007Granted: Jul 9, 2019
Est. expiryJan 24, 2027(~0.6 yrs left)· nominal 20-yr term from priority
H04L 63/1408H04L 63/04H04L 63/0823H04L 2209/76H04L 63/0485H04L 63/0209
47
PatentIndex Score
0
Cited by
12
References
15
Claims

Abstract

Embodiments of the present invention provide methods, systems and computer program products for the centralized, secure offloading of security services for distributed security enforcement points. In an embodiment, a network data processing system can be configured for centralized secure offload of security services for distributed security enforcement points and can include a set of security enforcement points controlling communication flows between devices in different less trusted zones of protection. The system also can include a security server communicatively coupled to the security enforcement points and hosting security services logic disposed in a more trusted zone of protection. Each of the security enforcement points can include an interface to the security services logic and program code enabled to offload security related services processing through the interface to the security services logic disposed in the more trusted zone of protection.

Claims

exact text as granted — not AI-modified
We claim: 
     
       1. A security server, comprising
 an interface connected to:
 a first security enforcement point disposed between a public zone of protection and a demilitarized zone of protection that is more trusted than the public zone of protection, 
 a second security enforcement point disposed in a communication path between a content server, within the demilitarized zone of protection, and an application server in an application zone of protection, 
 a third security enforcement point disposed in a communication path between the application server and a data server in an enterprise zone of protection, 
 a fourth security enforcement point disposed in a communication path between the data server and an Intranet client disposed in an Intranet zone of protection; and 
 
 a hardware processor configured to execute the following executable operations:
 obtaining, from access requests received via the interface from each of the security enforcement points, respective access parameters, and 
 performing respective security services using the respective access parameters to generate respective security results, and 
 forwarding, via the interface, the respective security results to the security enforcement points, wherein 
 
 the security server is disposed within the enterprise zone of protection, 
 each of the security enforcement points are configured to regulate communication flows between devices respectively disposed within zones of protection separated by a particular security enforcement point, 
 the security services are performed on the communication flows between the devices, and 
 the respective security results are forwarded to the security enforcement points to be used in performing the security services on the communications flows between the devices. 
 
     
     
       2. The security server of  claim 1 , wherein
 each of the security enforcement points includes security logic configured to generate an access request relating to a passage of data through a respective security enforcement point and between different zones of protection. 
 
     
     
       3. The security server of  claim 2 , wherein
 the access request relates to regulation of the data through the respective security enforcement point. 
 
     
     
       4. The security server of  claim 2 , wherein
 the access request relates to monitoring the data through the respective security enforcement point. 
 
     
     
       5. The security server of  claim 1 , wherein
 the security services include key public/private key services. 
 
     
     
       6. A computer-implemented method within a security server, comprising:
 receiving, via an interface within the security server, information from:
 a first security enforcement point disposed between a public zone of protection and a demilitarized zone of protection that is more trusted than the public zone of protection, 
 a second security enforcement point disposed in a communication path between a content server, within the demilitarized zone of protection, and an application server in an application zone of protection, 
 a third security enforcement point disposed in a communication path between the application server and a data server in an enterprise zone of protection, 
 a fourth security enforcement point disposed in a communication path between the data server and an Intranet client disposed in an Intranet zone of protection; and 
 
 obtaining, from access requests received via the interface from each of the security enforcement points, respective access parameters, and 
 performing respective security services using the respective access parameters to generate respective security results, and 
 forwarding, via the interface, the respective security results to the security enforcement points, wherein 
 the security server is disposed within the enterprise zone of protection, 
 each of the security enforcement points are configured to regulate communication flows between devices respectively disposed within zones of protection separated by a particular security enforcement point, 
 the security services are performed on the communication flows between the devices, and 
 the respective security results are forwarded to the security enforcement points to be used in performing the security services on the communications flows between the devices. 
 
     
     
       7. The method of  claim 6 , wherein
 each of the security enforcement points includes security logic configured to generate an access request relating to a passage of data through a respective security enforcement point and between different zones of protection. 
 
     
     
       8. The method of  claim 7 , wherein
 the access request relates to regulation of the data through the respective security enforcement point. 
 
     
     
       9. The method of  claim 7 , wherein
 the access request relates to monitoring the data through the respective security enforcement point. 
 
     
     
       10. The method of  claim 6 , wherein
 the security services include key public/private key services. 
 
     
     
       11. A computer program product, comprising:
 a hardware storage device having stored therein computer-readable program code, 
 the computer-readable program code, which when executed by a security server, causes the security server to perform:
 receiving, via an interface within the security server, information from:
 a first security enforcement point disposed between a public zone of protection and a demilitarized zone of protection that is more trusted than the public zone of protection, 
 a second security enforcement point disposed in a communication path between a content server, within the demilitarized zone of protection, and an application server in an application zone of protection, 
 a third security enforcement point disposed in a communication path between the application server and a data server in an enterprise zone of protection, 
 a fourth security enforcement point disposed in a communication path between the data server and an Intranet client disposed in an Intranet zone of protection; and 
 
 obtaining, from access requests received via the interface from each of the security enforcement points, respective access parameters, and 
 performing respective security services using the respective access parameters to generate respective security results, and 
 forwarding, via the interface, the respective security results to the security enforcement points, wherein 
 
 the security server is disposed within the enterprise zone of protection, 
 each of the security enforcement points are configured to regulate communication flows between devices respectively disposed within zones of protection separated by a particular security enforcement point, 
 the security services are performed on the communication flows between the devices, and 
 the respective security results are forwarded to the security enforcement points to be used in performing the security services on the communications flows between the devices. 
 
     
     
       12. The method of  claim 11 , wherein
 each of the security enforcement points includes security logic configured to generate an access request relating to a passage of data through a respective security enforcement point and between different zones of protection. 
 
     
     
       13. The method of  claim 12 , wherein
 the access request relates to regulation of the data through the respective security enforcement point. 
 
     
     
       14. The method of  claim 12 , wherein
 the access request relates to monitoring the data through the respective security enforcement point. 
 
     
     
       15. The method of  claim 11 , wherein
 the security services include key public/private key services.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.